Configuring Windows 2012 Private VLAN (PVLAN)

Among the new features brought by the Windows 2012 Hyper-V 3.0 extensible switch is support for creating PVLANs. You can find information about the Hyper-V extensible switch features on TechNet. PVLANs are a kind of VLAN inside a VLAN; a good article for understanding PVLANs can be found at . PVLANs allow administrators to prevent hosts from communicating with each other even though they are located in the same VLAN and use the same IP address class.

Cisco's definition of a PVLAN: “A PVLAN is a VLAN with configuration for Layer 2 isolation from other ports within the same broadcast domain or subnet. You can assign a specific set of ports within a PVLAN and thereby control access among the ports at Layer 2. You can configure PVLANs and normal VLANs on the same switch.

There are three types of PVLAN ports: promiscuous, isolated, and community.

  • A promiscuous port communicates with all other PVLAN ports. The promiscuous port is the port that you typically use to communicate with external routers, LocalDirectors, network management devices, backup servers, administrative workstations, and other devices.

  • An isolated port has complete Layer 2 separation from other ports within the same PVLAN. This separation includes broadcasts, and the only exception is the promiscuous port. A privacy grant at the Layer 2 level occurs with the block of outgoing traffic to all isolated ports. Traffic that comes from an isolated port forwards to all promiscuous ports only.

  • Community ports can communicate with each other and with the promiscuous ports. These ports have Layer 2 isolation from all other ports in other communities, or isolated ports within the PVLAN. Broadcasts propagate only between associated community ports and the promiscuous port.”

To demonstrate PVLAN configuration we will create four VMs: SRV1, SRV2, SRV3 and SRV4. All VMs are connected to the same Hyper-V switch and will be assigned to primary VLAN 55. We will configure the PVLAN using secondary VLANs 10 and 11 to create isolation as follows:

SRV1: configured in promiscuous mode, and hence all VMs can communicate with it

SRV2: configured in isolated mode, and hence can communicate only with SRV1

SRV3: configured in community mode, and hence can communicate with SRV1 and SRV4

SRV4: configured in community mode, and hence can communicate with SRV1 and SRV3


Using the Get-VMNetworkAdapterVlan PowerShell command you can get your VM's current VLAN assignment. The output of the command shows the list of VLANs that the VM belongs to in the VlanList column.

Get-VMNetworkAdapterVlan srv1

VMName VMNetworkAdapterName Mode   VlanList
------ -------------------- ----   --------
SRV1   SRV1                 Access 0

Note: To clear the VLAN configuration for a VM and restore the default settings, use:

Set-VMNetworkAdapterVlan -VMName srv1 -Access -VlanId 0

Configure SRV1:

1. Check information about the VM network adapter

Get-VMNetworkAdapter -VMName srv1

Name IsManagementOs VMName SwitchName       MacAddress   Status IPAddresses
---- -------------- ------ ----------       ----------   ------ -----------
SRV1 False          SRV1   Intel2 TrunK VSW 00155D0F271D {Ok}   {, fe80::3897:d606:5706:4f46}

2. Check VM VLAN Configuration

Get-VMNetworkAdaptervlan -VMName srv1

VMName VMNetworkAdapterName Mode   VlanList
------ -------------------- ----   --------
SRV1   SRV1                 Access 0

3. Set the SRV1 port to trunk mode and set the primary VLAN ID and allowed VLAN list

Set-VMNetworkAdapterVlan -VMName srv1 -Trunk -AllowedVlanIdList "55,10,11" -NativeVlanId 55

4. Set the PVLAN port mode and assign the primary VLAN ID and secondary VLAN IDs

Set-VMNetworkAdapterVlan -VMName srv1 -Promiscuous -PrimaryVlanId 55 -SecondaryVlanIdList 10-11

5. Check your configuration

Get-VMNetworkAdapterVlan -VMName srv1

VMName VMNetworkAdapterName Mode        VlanList
------ -------------------- ----        --------
SRV1   SRV1                 Promiscuous 55,10-11

Configure SRV2:

1. Check the SRV2 VM configuration

Get-VMNetworkAdapter -VMName srv2

Name IsManagementOs VMName SwitchName       MacAddress   Status IPAddresses
---- -------------- ------ ----------       ----------   ------ -----------
SRV2 False          SRV2   Intel2 TrunK VSW 00155D0F271C {Ok}   {, fe80::19dd:7129:ae76:4608}

Get-VMNetworkAdaptervlan -VMName srv2

VMName VMNetworkAdapterName Mode   VlanList
------ -------------------- ----   --------
SRV2   SRV2                 Access 0

2. Set PVLAN Mode and configure Primary Vlan Id and Secondary Vlan Id

Set-VMNetworkAdapterVlan -VMName srv2 -VMNetworkAdapterName srv2 -Isolated -PrimaryVlanId 55 -SecondaryVlanId 10

3. Check VM configuration

Get-VMNetworkAdapterVlan -VMName srv2

VMName VMNetworkAdapterName Mode     VlanList
------ -------------------- ----     --------
SRV2   SRV2                 Isolated 55,10

Configure SRV3 and SRV4 (PVLAN community mode, primary VLAN ID and secondary VLAN ID):

Set-VMNetworkAdapterVlan -VMName srv3 -VMNetworkAdapterName srv3 -Community -PrimaryVlanId 55 -SecondaryVlanId 11

Set-VMNetworkAdapterVlan -VMName srv4 -VMNetworkAdapterName srv4 -Community -PrimaryVlanId 55 -SecondaryVlanId 11

Check the VM configuration by pinging the other machines. SRV2 will only be able to ping SRV1, while SRV3 and SRV4 should not be able to communicate with SRV2.
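
The expected ping results for this layout, as an added example that is not code from the original post: the script applies the promiscuous, isolated and community rules quoted above to SRV1 through SRV4 and prints which pairs should reach each other. `Test-PvlanReachable` and `Get-PvlanMatrix` are hypothetical helper names, and the script only evaluates the plan table; it does not query Hyper-V.

```powershell
# Added example: evaluates PVLAN rules against a plan table; it does not query Hyper-V.
# Plan constructed from this post: primary VLAN 55, secondary VLANs 10 and 11.
$plan = @(
    [pscustomobject]@{ VM = 'SRV1'; Mode = 'Promiscuous'; Primary = 55; Secondary = @(10, 11) }
    [pscustomobject]@{ VM = 'SRV2'; Mode = 'Isolated';    Primary = 55; Secondary = @(10) }
    [pscustomobject]@{ VM = 'SRV3'; Mode = 'Community';   Primary = 55; Secondary = @(11) }
    [pscustomobject]@{ VM = 'SRV4'; Mode = 'Community';   Primary = 55; Secondary = @(11) }
)

# Hypothetical helper: $true when ports A and B may exchange Layer 2 traffic.
function Test-PvlanReachable {
    param($A, $B)
    # Ports in different primary VLANs never share a broadcast domain.
    if ($A.Primary -ne $B.Primary) { return $false }
    $aProm = $A.Mode -eq 'Promiscuous'
    $bProm = $B.Mode -eq 'Promiscuous'
    if ($aProm -and $bProm) { return $true }
    # A promiscuous port reaches the secondary VLANs in its own list
    # (the -SecondaryVlanIdList given to SRV1).
    if ($aProm) { return ($A.Secondary -contains $B.Secondary[0]) }
    if ($bProm) { return ($B.Secondary -contains $A.Secondary[0]) }
    # Isolated ports talk to promiscuous ports only, never to each other.
    if ($A.Mode -eq 'Isolated' -or $B.Mode -eq 'Isolated') { return $false }
    # Community ports talk only within the same secondary VLAN.
    return ($A.Secondary[0] -eq $B.Secondary[0])
}

# Hypothetical helper: one row per source VM, one column per destination VM.
function Get-PvlanMatrix {
    param($Plan)
    foreach ($src in $Plan) {
        $row = [ordered]@{ From = $src.VM }
        foreach ($dst in $Plan) {
            if ($src.VM -eq $dst.VM) {
                $row[$dst.VM] = '-'
            } elseif (Test-PvlanReachable $src $dst) {
                $row[$dst.VM] = 'reachable'
            } else {
                $row[$dst.VM] = 'blocked'
            }
        }
        [pscustomobject]$row
    }
}

Get-PvlanMatrix -Plan $plan | Format-Table -AutoSize
```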


About Hikmat Kanaan

I’m a big fan of technology; I have worked with almost every MS Windows OS up to Windows 8 and Server 2012, including OS deployment, AD and almost every MS OS service, including major MS products: ISA, TMS, Exchange, System Center, SharePoint, SQL, storage systems, networking, security, Cisco, HP, and Checkpoint products. Designing and architecting IT solutions and infrastructure. I do admire automation and working based on best practices toward building highly reliable solutions that provide the required services to the business. I also run the Jordan IT professionals user group.

11 Responses to Configuring Windows 2012 Private VLAN (PVLAN)

  1. Junior_DD says:

    Hello Hikmat Kanaan,

    Great post, thank you. I have a question about PVLANs. Is it possible to use PVLANs in a Hyper-V cluster of some nodes? The solution should have 2 communities with 4 VMs.

    Every node has a teaming NIC with some MP devices. One MP device has the VLAN 111. The vSwitch VLAN 111 is bound to the MP with VLAN 111.

    Red1 on Host 1 VLAN 111 community PVLAN 50 connected with vSwitch VLAN 111
    Blue1 on Host 1 VLAN 111 community PVLAN 51 connected with vSwitch VLAN 111
    Red2 on Host 1 VLAN 111 community PVLAN 50 connected with vSwitch VLAN 111
    Blue2 on Host 1 VLAN 111 community PVLAN 51 connected with vSwitch VLAN 111

    Red1 doesn't ping Blue1, that's OK.
    But Red1 can ping Red2 and also Blue2 ????

    greetz from Germany

    • If I understood your configuration correctly, Red1 would be able to ping Red2 (same community, 50) and Blue1 would be able to ping Blue2 (same community, 51). If you need Red1 not to ping Red2, it should be set to isolated mode; the same holds true for Blue1 and Blue2.

      Sharing your configuration will help understand if something is not configured correctly.

  2. Jacob says:

    How do physical servers come into play? My core switch is a Procurve 4108GL and the enclosures that the blades are in are using HP GBE2C. They don’t appear to support PVLAN. I’ve noticed that when I set the mode to isolated it cannot communicate with even the gateway.

    So the host is set to TRUNK and the VLAN’s primary is VLAN 10 with isolated mode set.

    Just wondering if you can leave PVLAN off on the other physical servers and it still communicates.

  3. Jacob says:

    I also noticed in my test that if you move the VM to another host it appears the settings for the PVLAN do not follow

    • It should not follow, as these configurations are actually made on the Hyper-V switch, and when the machine moves to another host this is like a new switch that has not yet been configured with PVLANs.

      • eldigital911 says:

        Let’s say I have some VM’s on host1 and on host2 that are in the same organization and need to communicate with one another and are part of a community PVLAN. Is this possible, or does it require the assistance with a physical switch which supports PVLANS?

      • eldigital911 says:

        Then how is one supposed to be able to successfully live migrate a VM containing a PVLAN to another host?

  4. eldigital911 says:

    Hikmat, how does this come into play if I want one of these VM’s that has a private VLAN to communicate with another PHYSICAL server on the network? Is this possible? If so please elaborate on how it is accomplished. Thanks!

  5. eldigital911 says:

    Also I don’t understand what the difference between promiscuous mode and community mode is? Would you also elaborate on this? Thanks!
